files.gallery的nginx部署备忘录

由于给files.gallery开了全部权限, 防止文件泄露针对location /进行了限制访问.

server {
    server_name gallery.XX.net;
    index index.php;
    root /home/gallery/web;
        location =/ {}
        location / { deny all;}
        location /.well-known/acme-challenge/ { return 200; }
        location ~ \.php(?:$|/) {
                        try_files $uri = 404;
                        fastcgi_pass unix:/dev/shm/php8-fpm.sock;
        }
}

设定ssl证书

dnf install epel-release -y
dnf install certbot python3-certbot-nginx -y
certbot --nginx -d XXX.net --agree-tos -m [email protected]
echo "0 3 * * 6 /usr/bin/certbot renew --quiet"> /etc/cron.d/certbot

使用cloudflare后nginx传递客户端真实ip

主要两个地方注意一下, cloudflare会传送一个CF-Connecting-IP的header参数为访客的真实ip,所以  read_ip读取它.

然后设定REMOTE_ADDR读取IP, 可以从FORWARDED也可以用CF-Connecting-IP参数

set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
real_ip_header CF-Connecting-IP;
proxy_set_header REMOTE_ADDR $HTTP_X_FORWARDED_FOR;

[重写]whmcs nginx rewrite规则

之前发的太拉胯了, 重新写了一份.

针对后台文件夹更名后, 用try_files判断,免去写白名单验证了, 官方爱咋折腾出了问题再说了.

CUSTOMADMINPATH为匹配后台自定义admin目录

location ~ [^/]\.php(/|$) { YOUR php-fpm configure in HERE }
location ~  ^/{ try_files $uri $uri/ /index.php?rp=$uri; }
location ~  ^/(admin|CUSTOMADMINPATH_1|CUSTOMADMINPATH_2)/ { try_files $uri $uri/ index.php?rp=$uri; }

 

原始的弃用了:

location ~ /templates/.*\.tpl$ { return 404; }
location ^~ /vendor/ { return 404; }
location ~  ^/(images/em|invoice|login|password|account|store|download|knowledgebase|announcements|clientarea/ssl-certificates|user/(verification|accounts|profile|password|security|verify)|cart/(domain/renew)|domain/pricing|cart/order|images/kb)/?(.*)$  {  rewrite (.*)  /index.php?rp=$uri last; }
location ~  ^/(.*)/(client|client!\.php|client/(.*)|table/(.*)|search!\.php|search/(.*)|apps|billing|setup|user|services|addons|domains|utilitiesemailmarketer!\.php|utilities/(.*)|logs|help!\.php|help/license|modules|image/(recent|upload)|validation_com/(.*))/?(.*)$ {  try_files $uri $uri/ /$1/index.php?rp=$uri;  }

如果whmcs放在二级目录下则小改一下.

把uri改成rewrite 的正则匹配.

centos9安装openresty导入gpg报错解决办法

解决办法:

update-crypto-policies --set LEGACY
rpm --import https://openresty.org/package/pubkey.gpg

或者是dnf带上 --nogpgcheck参数

dnf install -y --nogpgcheck openresty 

把gpgcheck检查去掉也行.

sed -i 's/gpgcheck=1/gpgcheck=0/g'  /etc/yum.repos.d/openresty.repo

 

没导入时候报错提示

GPG Keys are configured as: https://openresty.org/package/pubkey.gpg
Error: GPG check FAILED

当导入时候的错误提示

warning: Signature not supported. Hash algorithm SHA1 not available.
error: https://openresty.org/package/pubkey.gpg: key 1 import failed

总结:更新update-crypto-policies设置

文章内容源自:https://www.redhat.com/en/blog/rhel-security-sha-1-package-signatures-distrusted-rhel-9

nginx反向代理解决googleapis字体库问题

虽然有第三方的,但是自己nginx里面写死配置来得安稳些.

用法就是在网站目录里面直接引用一下配置文件include googleapis.conf;

这里做了一个虚拟目录/assets/vendor/, 可以根据自己的需求设置.

 

# cat ../googleapis.conf
sub_filter_once off;
sub_filter_types text/css text/xml text/javascript;
sub_filter "https://fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "//fonts.googleapis.com" "/assets/vendor/googleapis";
sub_filter "https://ajax.googleapis.com" "/assets/vendor/ajax";
sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
proxy_hide_header Link;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;

location ~  ^/assets/vendor/googleapis/ {
proxy_set_header Accept-Encoding "";
  rewrite ^/assets/vendor/googleapis/(.+)$ /$1 break;
  proxy_pass https://fonts.googleapis.com;
  proxy_set_header Host "fonts.googleapis.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1d;
  sub_filter "https://fonts.gstatic.com" "/assets/vendor/fonts_gstatic";
}

location ~ ^/assets/vendor/fonts_gstatic/ {
  rewrite ^/assets/vendor/fonts_gstatic/(.+)$ /$1 break;
  proxy_pass https://fonts.gstatic.com;
  proxy_set_header Host "fonts.gstatic.com";
  proxy_set_header User-Agent "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0";
  expires 1y;
}

location ~  ^/assets/vendor/gstatic/ {
  rewrite ^/assets/vendor/gstatic/(.+)$ /$1 break;
  proxy_pass https://www.gstatic.com;
  proxy_set_header Host "www.gstatic.com";
  expires 1y;
}

location ~  ^/assets/vendor/ajax/ {
  rewrite ^/assets/vendor/ajax/(.+)$ /$1 break;
  proxy_pass https://gajax.googleapis.com;
  proxy_set_header Host ajax.googleapis.com;
  expires 1y;
}

nginx fastcgi中SCRIPT_FILENAME的设置

在官方wiki找到的

fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name

在alias下路径报错

-----------------------------------------------------------------------------

fastcgi_param SCRIPT_FILENAME $request_filename

index取值忽略fastcgi_index的设定, 直接取http或者server字段下的index设定值.

 

https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/

whmcs的nginx伪静态规则

  location ~ /(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*) { rewrite (.*) /index.php; }
  location ~ /(.*)/(addons|apps|search|domains|help|services|setup|utilities|clients)(.*) { rewrite (.*) /admin/index.php;}

方案一:

if (!-f $request_filename){ rewrite (.*) /index.php;  }

方案二:

 rewrite ^/(announcements|knowledgebase|download|store|password|cart|account|subscription)(.*)$ /index.php;

其他设置:

  location ~* \.(tpl|inc|cfg)$ {  deny all; }
  location ^~ /vendor/ { deny all; }


方案一主要匹配本地没有的就丢index.php上去,  也可以用try_files

方案二主要是直接进行rewrite.


其他配置主要是隐藏一些目录和文件不让访问.


 总的来说用 location来匹配稍微稳妥一些, 例如 /admin/clientsservices.php 会被为静态匹配到, 还是得运用if来判断匹配.

nginx正向代理

server {  
    listen 8080;  
    resolver 114.114.114.114; 
    location / {  
        proxy_pass $scheme://$http_host$request_uri;
        proxy_set_header HOST $http_host;
        proxy_buffers 256 4k;
        proxy_max_temp_file_size 0k; 
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_next_upstream error timeout invalid_header http_502;
    }  
deny 127.0.0.1;
}


nginx php.conf配置

location ~ .*\.(php)?$ {
        try_files $uri = 404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass  unix:/dev/shm/php-cgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
        include fastcgi_params;
        }
location ~ .*\.(htm|gif|jpg|jpeg|png|bmp|ico|flv|swf|txt|wma)$ { expires  30d;}
location ~ .*\.(js|css)?$ { expires   1d;}
location ~ .*\.(tpl|svn|asp|aspx|jsp|do|mdb|zip|rar|bak|htc)?${ deny all; }
location ~ /0.* { deny all; }
if (!-e $request_filename) { return 444; }


nginx屏蔽搜索引擎

在http字段下加入一个map做匹配引导

map $http_user_agent $limit_bots {
     default 0;
     ~*(baiduspider|google|soso|bing|yandex|sogou|yahoo|sohu-search|yodao|YoudaoBot|robozilla|msnbot|MJ12bot|NHN|Twiceler) 1;
     ~*(AltaVista|Googlebot|Slurp|BlackWidow|Bot|ChinaClaw|Custo|DISCo|Download|Demon|eCatch|EirGrabber|EmailSiphon|EmailWolf|SuperHTTP|Surfbot|WebWhacker) 1;
     ~*(Express|WebPictures|ExtractorPro|EyeNetIE|FlashGet|GetRight|GetWeb!|Go!Zilla|Go-Ahead-Got-It|GrabNet|Grafula|HMView|Go!Zilla|Go-Ahead-Got-It) 1;
     ~*(rafula|HMView|HTTrack|Stripper|Sucker|Indy|InterGET|Ninja|JetCar|Spider|larbin|LeechFTP|Downloader|tool|Navroad|NearSite|NetAnts|tAkeOut|WWWOFFLE) 1;
     ~*(GrabNet|NetSpider|Vampire|NetZIP|Octopus|Offline|PageGrabber|Foto|pavuk|pcBrowser|RealDownload|ReGet|SiteSnagger|SmartDownload|SuperBot|WebSpider) 1;
     ~*(Teleport|VoidEYE|Collector|WebAuto|WebCopier|WebFetch|WebGo|WebLeacher|WebReaper|WebSauger|eXtractor|Quester|WebStripper|WebZIP|Wget|Widow|Zeus) 1;
     ~*(Twengabot|htmlparser|libwww|Python|perl|urllib|scan|Curl|email|PycURL|Pyth|PyQ|WebCollector|WebCopy|webcraw) 1;
 }


再到server字段或者是location字段下加入if判断

  if ($limit_bots = 1) {  return 403;  }


Supermicro IPMI/BMC nginx proxy

需要安装一个openresty或者nginx, 版本大于1.15.10

编译安装参考http://www.kvm.la/1043.html , openresty二进制包版本较低没有更新, 建议编译安装一份.

首先把IPMI的IP丢进一个ip.list的文件里面, 一行一个IP.

#/bin/bash
i=1000  #vnc start port
b=2000
# hextoip() { hex=$1;  printf "%d." 0x${hex:0:2};  printf "%d." 0x${hex:2:2};  printf "%d." 0x${hex:4:2};  printf "%d" 0x${hex:6:2};  }
#gethostip -x 10.0.12.1
stream_route_map=/etc/nginx/stream.route.map.conf
http_route_map=/etc/nginx/http.route.map.conf
echo " default 0;" > $stream_route_map
echo " default 0;" > $http_route_map
for IP in `cat /root/ipmi/ip.list | uniq -c |awk   '{ print $2 }'`;
do
i=`expr $i + 1` ;
b=`expr $b + 1` ;
HEXIP=`gethostip -x $IP | tr 'A-Z' 'a-z'` ;
echo "	   ~*($IP|$i|$b|$HEXIP)$ 	IP<$IP>|VNC<$i>|BMC<$b>|HEX<$HEXIP>;" >>$http_route_map;
echo "     ~*($b|$i)$  $IP;" >> $stream_route_map

done

nginx -s reload

阅读剩余部分...

Centos7快速部署openresty

curl https://openresty.org/package/centos/openresty.repo -so /etc/yum.repos.d/openresty.repo
yum -y -q install wget  vim-enhanced tcpdump iftop net-tools rsync 
yum -y -q install openresty 
systemctl enable openresty
ln -s  /usr/local/openresty/nginx/sbin/nginx /usr/sbin/ #把nginx文件引用到常规sbin目录
ln -s /usr/local/openresty/nginx/conf /etc/nginx #把目录软连接到常规目录
ln -s /usr/lib/systemd/system/openresty.service /usr/lib/systemd/system/nginx.service #Centos7的服务启动管理nginx别名
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload

基础部署完成后,用rsync同步数据后再做其他基础配置基本完成管理.

nginx lua暴力简单过滤cc攻击

原文地址:http://jtwo.me/use-lua-to-protect-nginx-away-from-cc-attack

好像原文出处的页面已经打不开了,原生的nginx需要编译lua,openresty可以直接用。

location ~ \.php$ {
    rewrite_by_lua '
        local md5token = ngx.md5(ngx.var.remote_addr .. ngx.var.http_user_agent)
        if (ngx.var.cookie_humanflag ~= md5token) then
            ngx.header["Set-Cookie"] = "humanflag=" .. md5token
            return ngx.redirect(ngx.var.scheme .. "://" .. ngx.var.host .. ngx.var.uri)
        end
    ';
    ... ...
}

location ~ \.php$ {
    if ($cookie_ipaddr != "$remote_addr"){
        add_header Set-Cookie "ipaddr=$remote_addr";
        rewrite .* "$scheme://$host$uri" redirect;
    }

    ... ...
}